Practical notes: dynamic-defense WAF technical principles and hands-on programming

This article covers the technical principles of a dynamic-defense WAF and shows how to put them into practice in code.

By introducing the core technology behind ShareWAF, it shows the advantages of dynamic defense and the ideas behind its implementation, and then demonstrates, with real code, how dynamic-defense WAF techniques can be applied during product development.


ShareWAF is a dynamic-defense WAF product that applies dynamic defense technology to anti-automation attacks, anti-crawling and other areas.

Compared with a traditional WAF, a dynamic-defense WAF has very significant advantages:

[Dynamic defense: advantages and principles]

In short, the advantage comes down to two phrases: active defense, and unpredictability.

A traditional WAF waits for an attack to arrive, identifies it, and only then blocks it.

With dynamic defense, the WAF reverses this mode: it is no longer passive but permanently in a proactive, positive protection state.

For example, think of opening a door:

With a traditional WAF, the scene behind the door is always the same.

With a dynamic-defense WAF, the scenery behind the door is different every time it is opened; it might be a prairie, it might be a wheat field. That is: random variation, unpredictable.


Another example, archery:

With a traditional WAF, the target is fixed.

With a dynamic-defense WAF, the target moves randomly. That is: dynamic change, an unpredictable target.


Applied to a concrete WAF feature, take brute-force protection.

A traditional WAF typically uses a rule set, for example: visitor IP or device fingerprint + continued login attempts + number of consecutive failed logins, and applies those rules to decide whether the behaviour is a brute-force attack.

This is the orthodox, by-the-book defense concept, and it is passive.

Throughout this process the attacker can keep initiating attempts. Moreover, by using proxies, modifying device characteristics and so on, the attacker can evade the WAF rules and attempt a WAF bypass.


With dynamic defense, taking ShareWAF as the example, the approach to brute-force protection is completely different:

ShareWAF dynamically wraps the critical point of the attack, for example the user name field.

Concretely, on the front end, the user-name input on a login page usually has a fixed element name such as username. A brute-force attacker uses automated tools or scripts to assign it a value and then submit the request, attempting to log in; repeating this process is the attack.

ShareWAF wraps the username element dynamically: when the user agent requests the page it no longer receives username, but a different random string on every request.

Automated tools or scripts can therefore no longer locate the key point for the brute-force assignment, and the attack is stopped at the front end.


ShareWAF's anti-crawler protection uses a similar concept.

[Dynamic-defense WAF: programming practice]

Theory first, then practice: to prove that the theory is feasible, we demonstrate how to apply dynamic defense technology in programming.

Through sample programs, we demonstrate the core implementation of ShareWAF's anti-automation-attack and anti-crawler functions respectively.

Anti-automation attacks

Here a sample program, the simplest possible login page, simulates how ShareWAF uses dynamic defense technology to defend against automated brute-force attacks.

The key elements of a login page usually look like this (a submit button and the POST method are added here so the form actually submits):

<form method="post">
User:<input name="username"/>
Pass:<input name="password"/>
<input type="submit" value="Login"/>
</form>

In the browser this displays a simple login page with a user name field, a password field and a login button.


When brute forcing this, an attacker's options include: assigning a value to the username element and submitting the login; or using Burp Suite or similar tools to intercept and modify the request and enumerate credentials.

We will not discuss the traditional WAF countermeasures here; straight to the point: how ShareWAF defends dynamically.

The sample program is only a few dozen lines, and shows the core of the "dynamic" concept.

[Figure: the Node.js sample code]

The sample is Node.js code implementing a web service that incorporates ShareWAF's dynamic-defense philosophy.

A brief analysis of the code:

Key point one: a dynamic-transformation pool, used to store the correspondence between username and its dynamically transformed form.

Key point two: when the page is requested, the username element is transformed dynamically, the correspondence is stored in the pool, and the transformed content is sent to the browser. Once this is done, the originally static username element changes dynamically on every visit or refresh:


Note the name value at the top: it should be username, but it is now a random string, and the name differs between the two figures; in fact it differs on every request.

If an attacker had written an automated script such as document.getElementById("username").value = "***", it now fails, because username is gone and the replacement name is unpredictable.

Packet interception and modification tools such as Burp Suite likewise lose their fixed target, because the key field username is gone and its replacement differs on every request.

That is the idea behind dynamic defense. Of course this is not everything; it is only a small part of what dynamic defense can be applied to.

Key point three: the dynamically transformed username must of course be restored, otherwise the original business function would break. In the code, the "transformation pool" stores the correspondence between username and its "transformation code" (the random string). Using that correspondence the WAF can easily revert to username, and then forwards the restored data to the protected site so that the normal business flow is preserved.

[Figure: the username field restored to its original name]

Anti-crawler

The previous example applied dynamic defense to form content; in the anti-crawler field, dynamic defense is applied differently.

There are many kinds of crawlers. The anti-crawler protection discussed below is, more precisely, anti-content-crawling: preventing page content from being crawled, which can also be understood as preventing web content from being copied.

For anti-content-crawling, one conventional approach is font encryption, i.e. using a custom font.

In general, however, custom-font protection is easily broken: once the font file has been obtained, an attacker can reverse-engineer the correspondence between code points and characters and thereby recover the original content. ShareWAF adds the "dynamic" concept on top of the custom font:

The font path becomes dynamic, so the font file cannot be downloaded.

The implementation of this part is similar to the previous principle: before the data is sent to the browser, a specific piece of content, the font path, is dynamically transformed; when the transformed path is requested, it is reverted to the original correct path and the file can be read.


One special point: to prevent someone from reading the font path out of the page source and downloading the font file, the "dynamic" path also carries an access time limit and becomes invalid after one use. The result: while the page is loading, the font file can be read normally, but accessing the target file path out of band fails.

Results:

[Figures: the font path is changed; opening that address directly in the browser, the file can no longer be read or downloaded]

Making the font dynamic prevents reverse analysis.

ShareWAF calls this dynamic custom-font technique: variable-cipher dynamic font.

Traditional custom-font encryption corresponds to a classical cipher technique, similar to a numeric code table of the kind once used for paging, in which one or a few numbers stand for one or several characters.

Applied to encrypting page text against crawling, the effect is as follows: the page displays the "text" normally, but that text does not actually exist in the source code; instead the source contains the corresponding "cipher characters".

This text cannot be copied: if the whole page text is copied, the "cipher character" part is missing.

So a crawler cannot copy or crawl the content.

The technique relies on a custom font, i.e. referencing a font file from the page's CSS (an @font-face rule).

That is, a custom font file must be referenced.

Since how to define the font file itself is not the focus of this article, we skip it. Our focus is achieving a "dynamic custom font file".

The reason is this:

If a fixed custom font file is used, the correspondence between characters and code points can be derived by analysis. As described above:

Ԕ stands for "I", ԕ stands for "you", and so on.

To prevent the correspondence from being analysed, the cipher font itself must also be made dynamic.

This example provides a method for generating a new font encoding:

[Figure: the font-encoding generation code]

This is the result of running it:

[Figure: the newly generated character-to-code-point correspondence]

We can see that a new correspondence has appeared, different from the earlier one in which Ԕ stood for "I" and ԕ for "you".

With the font encoding changing dynamically in this way, the correspondence between characters and their numeric codes cannot be obtained by analysing a single captured font file.

The above describes ShareWAF's dynamic-defense technology as applied to anti-automation-attack and anti-crawler scenarios.



Source: blog.51cto.com/14237227/2477890